Government creates “long overdue” national security team
The government has announced plans to establish a “long overdue” national computer emergency response team (CERT).
The security plans were revealed by Cabinet Office minister Francis Maude, as he updated the government on the progress of the Cyber Security Strategy unveiled a year ago.
Maude said the strategy was making “good progress” and making “notable achievements” – citing the Olympics holding up under cyber-attack as one example – but noted “there is still much work to do”.
One plan is to set up a national CERT. This will bring together public and private security resources to coordinate responses to threats such as malware. The US has had one in place since 2003, and the UK has a CERT focused on government-run systems, but this would the first looking at the UK as a whole.
The move is intriguing as the government decided in 2010 that a national CERT wouldn’t improve UK security, as part of a report into European security.
Security school: academics take on cyberterrorists
“The Government understands the argument that a national CERT would be of no added value to the UK, and that the current CERT network provides more effective protection,” a government statement said at the time. “At this stage, we need to keep an open mind as to the best structures to support cyberdefence and response in future”.
At the time, Lord Jopling, the chair of the EU security report, asked for reassurance that the government would resist setting up a “national CERT just to satisfy the [European] Commission’s yearning for tidiness”.
Now, the UK-wide CERT looks set to happen. “We are reviewing our national approach to cyber incident management, particularly in the light of the successful Olympics response,” Maude said, adding it would “build on and complement our existing CERT structures, improve national coordination of cyber-incidents, and act as a focus point for international sharing of technical information on cybersecurity”.
Rik Ferguson, director of security research and communications at Trend Micro, said the establishment of a UK-wide CERT is “actually long overdue”.
“A CERT should act as the 24-hour operations team of the National Cybersecurity Centre, helping individuals, enterprises and the public sector to collaborate and share information about current and potential security threats, offering a single resource for dissemination of information, cooperation across disciplines and for event reporting,” he said. “It is a critical part of any coordinated cybersecurity policy.”
Another idea mooted by Maude is to create a “Cyber Reserve”, allowing security services to “draw on the wider talent and skills of the nation in the cyberfield”.
“The services will engage additional experts to support their work in defending against the growth in cyberthreats,” the Cabinet Office said in a separate document. “These will be supporting roles to the Joint Cyber Units across the full spectrum of cyber and information assurance capability.”
Ferguson said there’s already “wide and deep cooperation between industry and government”.
“The character of those relationships though is organisational rather than interpersonal,” he noted. “The creation of a Cyber Reserve will give the government a large pool of expertise to draw from, should the need arise, irrespective of which company those people work for at any given time.”
“Security services have great expertise in house, but that doesn’t mean they can afford to hire the best people in each and every field,” added Luis Corrons, director of PandaLabs. “It would be a mistake not to count of people that would happily support their country. There is a lot of highly skilled professionals in the private sector, and taking advantage of that is something that nowadays it is needed.”
Further details on the Cyber Reserve weren’t available, with Maude saying an official announcement would come next Spring.
The government also revealed plans to boost academic study of the subject by setting up additional research centres and an online academic journal, and also said it would create a system to certify cybersecurity training courses.
Aside from high-level programmes such as CERT, the government is also planning to take a more practical approach, “mainstreaming cybersecurity messages across the breadth of its communication with the citizen”.
Maude gave one example of what that could mean, saying visitors to the HMRC website will be warned if their browser is out of date, and told what “threat this might pose to their online security”.